On 7/8/2015 12:01 PM, Steve Midgley wrote:
> My suggestion is to put it in an environment variable and set that
> variable from a shell startup script that is secured with permissions.
> (http://www.postgresql.org/docs/9.4/static/libpq-envars.html)
>
that just moves the problem, now the plaintext password is in a script
file somewhere, AND many OS's let other users see your environment.
> If you can't do that, the only other method I've used is to setup
> Postgres with Ansible, and store the Pg passwords in an ansible vault,
> which is encrypted. Ansible asks for the decrypt key when it runs.
>
how would that work for unattended scripts, such as cron jobs ?
--
john r pierce, recycling bits in santa cruz
